Adversarial Filtering Based Evasion and Backdoor Attacks to EEG-Based Brain-Computer Interfaces
Lubin Meng, Xue Jiang, Xiaoqing Chen, Wenzhong Liu, Hanbin Luo, Dongrui Wu
TL;DR
This work exposes security vulnerabilities in EEG-based BCI systems by introducing two filtering-based adversarial attacks: a universal adversarial filter for evasion and the same filter serving as a backdoor key for poisoning-based attacks. The evasion approach formulates a shared filter $\mathbf{W}$ that minimizes a combination of cross-entropy loss and distortion, optimized with binary search to force the filtered data to the chance level across multiple models and datasets. The backdoor approach poisons training data with filtered samples to embed a backdoor that triggers the target class when inputs are processed by the same filter, achieving high ASR with minimal impact on benign performance. Across three EEG datasets and various architectures, both attacks prove effective and transferable, underscoring an urgent need for defenses and secure signal-processing practices in BCIs.
Abstract
A brain-computer interface (BCI) enables direct communication between the brain and an external device. Electroencephalogram (EEG) is a common input signal for BCIs, due to its convenience and low cost. Most research on EEG-based BCIs focuses on the accurate decoding of EEG signals, while ignoring their security. Recent studies have shown that machine learning models in BCIs are vulnerable to adversarial attacks. This paper proposes adversarial filtering based evasion and backdoor attacks to EEG-based BCIs, which are very easy to implement. Experiments on three datasets from different BCI paradigms demonstrated the effectiveness of our proposed attack approaches. To our knowledge, this is the first study on adversarial filtering for EEG-based BCIs, raising a new security concern and calling for more attention on the security of BCIs.